Researchers reveal holes in Chrome OS security

Cloud-based operating system isn't as safe as Google thought
Emma Woollacott

August 5, 2011

Well, so much for Google’s Chrome OS being malware-free. Two security researchers say they’ve found a series of security issues which could still be used to push malicious programs to devices running Chrome, hijack Google or other online accounts of Chrome users and steal sensitive information.

Chrome OS devices don’t use internal hard drives. And because users can’t actually install or execute code on a Chromebook, but are limited to downloading Chrome extensions, Google reckoned it was safe from attack.

But speaking at the Black Hat conference, Matt Johansen and Kyle Osborn of WhiteHat Security say this isn’t actually the case. When everything’s running as an extension in the browser, they say, JavaScript code can be vulnerable to a cross-site scripting (XSS) attack.

APIs such as and chrome.tabs allow new browser windows to be opened and scripts to run automatically upon accessing a specific website, they say. And this could be used to initiate attacks against banking or e-commerce sites, for example.

The researchers cited one notepad application, Scratchpad, which comes bundled with Chrome OS on Chromebooks. This, they note, contained a cross-site scripting vulnerability that could allow one Chrome user to hijack another’s Google account and capture their Google contacts and other data.

Google’s since fixed that problem, however, according to the pair.

But they demonstrated a custom extension that can allow an attacker to launch an internal port scan from the web browser - and say they were able to upload it to the Chrome web store, where it could have been downloaded by others.

“While it is easy to write a malicious application and upload it to the Chrome Web Store, you would have a difficult time getting a large number of people to install it,” says Chester Wisniewski of security firm Sophos.

“The worrying part is that any existing popular extensions which contain vulnerabilities could allow for an attacker to arbitrarily hijack everything that occurs in your browser session. Scary.”

The researchers say that Google is considering introducing application-specific APIs that would give tighter control of access permissions.

